---
---


<html xmlns="http://www.w3.org/1999/xhtml">

<head>
  <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />

  <link rel="stylesheet" type="text/css" href="{{ site.baseurl }}/common/css/stylesheet.css"/>
  <link rel="stylesheet" href="{{ site.baseurl }}/common/css/stylesheet-fonts.css" type="text/css" charset="utf-8">
  <link rel="icon" href="{{ site.baseurl }}/common/css/favicon.ico" type="image/x-icon">
  <link rel="shortcut icon" href="{{ site.baseurl }}/common/css/favicon.ico" type="image/x-icon">
  <title>Discover credit card validation issue: Magento EE 1.9.1.1&mdash;.13.1.0 and CE 1.4.2.0&mdash;1.8.1.0</title>

</head>

<body>
<img src="{{ site.baseurl }}/guides/m1x/images/m1xheader.png" width="1024" alt="header" />
{% include m1x/eol_message.html %}


<!-- url: security-add-handler -->
<!-- title: Resolving a Remote Code Execution Exploit -->

<div class="toc"> <h4>Table of Contents</h4>
  <ul><li><a href="#overview">Overview</a></li>
    <li><a href="#affected">Versions Affected</a></li>
    <li><a href="#patch">Getting the Patch</a></li>
    <li><a href="#vulnerable">Determining Your Vulnerability to the File System Attack</a></li>
    <li><a href="#resolve">Resolving the File System Vulnerability</a></li>
  </ul></div>

<h2 id="overview">Overview</h2>
<p>We recently identified potential exploits that:</p>
<ul><li>Enable an attacker to execute arbitrary code on your Magento server.</li>
  <li>Create files with a <tt>.csv</tt> extension, create writable directories, and change the permission of existing files to world-writable (777).
  </li>
</ul>
<div class="msg-box important"><img src="{{ site.baseurl }}/guides/m1x/images/icon-note.png" alt="note" align="left" width="40"><span><strong>Note</strong>: The preceding exploits require the attacker to have administrative access to your Magento Admin Panel Dashboard. You can resolve these issues with the patch discussed in this article.</div>

<p>Creating files with a <tt>.csv</tt> extension can lead to executing files like <tt>php.csv</tt> (only under circumstances discussed in this article). The ability to run code with a <tt>.csv</tt> extension is dangerous itself and could be combined with other attacks; for example, targeting other software installed on the server.</p>
<p>You can resolve this issue by changing your server's configuration as discussed in <a href="#resolve">Resolving the File System Vulnerability</a>.</p>
<p>Although Magento code is protected by a hash value, the possibility of a successful exploit cannot be eliminated because of the low entropy of the hash secret value.</p>
<p>We strongly recommend you to take precautions discussed in this article <em>and</em> apply a patch for your version of Magento Enterprise Edition or Community Edition.</p>

<h2 id="affected">Versions Affected</h2>
<p><em>Magento software versions affected</em>: The issue affects all shipping versions of Magento Community Edition (CE) and Enterprise Edition (EE).</p>
<p><em>Operating system versions affected</em>:</p>
<ul><li>CentOS 5.x and 6.x</li>
  <li>RedHat Enterprise Linux 5.x and 6.x</li></ul>

<h2 id="patch">Getting the Patch</h2>
<p>The following table shows the patch you should get for your version of CE or EE.</p>
<table class="confluenceTable">
  <tbody>
  <tr>
    <th class="confluenceTh">Version</th>
    <th class="confluenceTh">Patch</th>
  </tr>
  <tr>
    <td class="confluenceTd">EE 1.13 and 1.14, CE 1.8 and 1.9</td>
    <td class="confluenceTd">SUPEE-1533_EE_1.13.x_v1.patch</td>
  </tr>
  <tr>
    <td class="confluenceTd">EE 1.12, CE 1.7</td>
    <td class="confluenceTd">SUPEE-1533_EE_1.12.x_v1.patch</td>
  </tr>
  <tr>
    <td class="confluenceTd">EE 1.11, CE 1.6</td>
    <td class="confluenceTd">SUPEE-1533_EE_1.11.x_v1.patch
    </td></tr>
  <tr>
    <td class="confluenceTd">EE 1.10.1, CE 1.5.1</td>
    <td class="confluenceTd">SUPEE-1533_EE_1.10.1.x_v1.patch</td>
  </tr>
  <tr>
    <td class="confluenceTd">EE 1.10.0.1, CE 1.5.0.1</td>
    <td class="confluenceTd">SUPEE-1533_EE_1.10.0.x_v1.patch</td>
  </tr>
  <tr>
    <td class="confluenceTd">EE 1.9</td>
    <td class="confluenceTd">SUPEE-1533_EE_1.9.x_v1.patch</td></tr>
  </tbody></table>

<p>To get and apply your patch, see <a href="{{ site.m1xgdeurl }}/other/ht_install-patches.html" target="_blank">How to Apply and Revert Magento Patches</a>.</p>
<div class="msg-box important"><img src="{{ site.baseurl }}/guides/m1x/images/icon-important.png" alt="important" align="left" width="40"><span><strong>Important</strong>: After applying your patch, Magento strongly recommends you evaluate your vulnerability and configure PHP as discussed in <a href="#resolve">Resolving the Vulnerability</a></span></div>


<h2 id="vulnerable">Determining Your Vulnerability to the File System Attack</h2>
<p>To determine if you're vulnerable to execution of PHP code with a non-PHP extension, search your web server configuration file for the following string:</p>
<pre>AddHandler application/x-httpd-php .php</pre>
<p>The Apache configuration file is typically <tt>/etc/httpd/conf/httpd.conf</tt></p>
<p>To confirm you're vulnerable:</p>
<ol><li>Create a file named <tt>test.php.csv</tt> anywhere in your web server's doocroot with the following contents:<br>
  <pre>&lt;?php
phpinfo()</pre></li>
  <li>In a web browser, display that page. (For example, <tt>http://www.example.com/path/test.php.csv</tt></li>
  <li>If your browser saves the file or prompts you to save the file instead of displaying it, your server is <em>not</em> vulnerable. You can ignore the rest of this article.</li>
  <li>If a page similar to the following displays, your server <em>is</em> vulnerable. Continue with the next section.<br>
    <img src="{{ site.baseurl }}/guides/m1x/images/appsec-900_confirm.png"></li></ol>

<h2 id="resolve">Resolving the File System Vulnerability</h2>
<div class="msg-box important"><img src="{{ site.baseurl }}/guides/m1x/images/icon-important.png" alt="important" align="left" width="40"><span><strong>Important</strong>: Magento strongly recommends you perform all tasks discussed in this section in a development or testing environment and <em>not</em> in a production environment.</span></div>
<p>To resolve this vulnerability, you must log in to the Magento server as a user with <tt>root</tt> privileges or as a user with permissions to change the web server configuration.</p>
<p>To resolve the vulnerability:</p>
<ol><li>Comment out the directive in <tt>httpd.conf</tt> by preceding it with a pound sign (#) as follows:<br>
  <pre># AddHandler application/x-httpd-php .php</pre></li>
  <li>Add a block similar to the following:<br>
    <pre>&lt;FilesMatch \.php$>
SetHandler application/x-httpd-php
&lt;/FilesMatch></pre>
    Some operating systems, like Red Hat Enterprise, might require different syntax such as:
    <pre>&lt;FilesMatch \.php$>
    SetHandler php5-script
&lt;/FilesMatch></pre>
    The regular expression in this setting matches <tt>.php</tt> only to the final extension in the file name, applying the handler only to PHP files and preventing PHP from executing.

  </li>
</ol>
</body>
</html>
